Pipal gets a Kippo log parser

Fri 1st Aug 14

For a long time I've been curious what password lists attackers are
using when they try to brute-force my SSH servers, so I finally got
round to setting up a Kippo honeypot and writing a custom Pipal
Splitter to parse through the logs and pull out the info.

My honeypot has only been running a day but has already collected
over 1000 hits so I thought I'd release an analysis of those as
a taster but then find some way to automate creating a rolling
report showing the last day, week and maybe month.

The splitter is now checked in to the Pipal
GitHub Master branch with the name "kippo_file.rb" and, as the name
suggests, this parses the text log files. I am thinking of
moving my logging to MySQL so will write an appropriate splitter
when I do.
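As an added illustration (this is not the code in kippo_file.rb and does not use Pipal's splitter interface), here is a stand-alone Ruby sketch of pulling passwords out of Kippo text logs. It assumes login lines end in `login attempt [user/password] failed` or `succeeded`; the function names and the sample log lines are constructed for the example.

```ruby
# Added example, not Pipal's kippo_file.rb.
# Assumption: Kippo text-log login lines end with
#   "login attempt [user/password] failed" (or "succeeded").
# Username stops at the first "/"; the password is matched greedily so that
# passwords containing "/" or "]" survive intact.
LOGIN_RE = /login attempt \[([^\/]*)\/(.*)\] (succeeded|failed)\s*\z/

# Returns [username, password, outcome] for a login line, nil for any other line.
def parse_kippo_line(line)
  # Attackers send arbitrary bytes; replace invalid UTF-8 so the regex
  # match does not raise on a hostile password.
  clean = line.scrub("?").chomp
  m = LOGIN_RE.match(clean)
  m && [m[1], m[2], m[3]]
end

# Counts passwords across all login attempts and returns the most common
# ones as [password, count] pairs (ties broken alphabetically).
def top_passwords(lines, limit = 10)
  counts = Hash.new(0)
  lines.each do |line|
    parsed = parse_kippo_line(line)
    counts[parsed[1]] += 1 if parsed
  end
  counts.sort_by { |pw, n| [-n, pw] }.first(limit)
end

# Constructed sample lines (documentation IP ranges), not real honeypot data.
PREFIX = "2014-08-01 10:15:02+0100 [SSHService ssh-userauth on HoneyPotTransport"
SAMPLE_LOG = [
  "#{PREFIX},12,192.0.2.10] login attempt [root/123456] failed",
  "#{PREFIX},12,192.0.2.10] login attempt [root/admin] failed",
  "#{PREFIX},13,198.51.100.7] login attempt [admin/123456] succeeded",
  "#{PREFIX},13,198.51.100.7] login attempt [oracle/p@ss/w]rd] failed",
  "2014-08-01 10:15:12+0100 [HoneyPotTransport,13,198.51.100.7] connection lost",
  "#{PREFIX},14,203.0.113.5] login attempt [test/pa\xFFss] failed"
]

if __FILE__ == $0
  top_passwords(SAMPLE_LOG).each { |pw, n| puts "#{n}\t#{pw}" }
end
```

Writing the extracted passwords out one per line gives a plain wordlist that can be fed to any password analysis tool.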

The passwords I'm seeing in the logs are about what I'd expect, with
a few odd ones thrown in. I'm definitely planning to include these
as wordlists for future testing because, if the bad guys are using
them, some have to be ones that work.

I've included the first analysis run here but you can also download a copy.